Data Residency and Encryption

Stable

How SPG99 protects data in transit and at rest, and what to confirm if you have compliance requirements.

Updated: March 5, 2026

Two things matter to the user: how data is transmitted over the network and how it is protected in the platform storage layer.

Protecting data in transit

In normal use, SPG99 relies on encrypted protocols:

  • HTTPS for Console and the Control Plane API;
  • TLS for PostgreSQL connections to Gateway;
  • managed certificates on key internal service links in the platform.

The practical conclusion is simple: normal work with SPG99 is already built around encrypted channels, and plaintext connections are not considered a standard scenario.

Protecting data at rest

The durable database state lives in the platform storage layer: stateful components and object storage. The encryption-at-rest policy depends on the managed environment and the storage settings used there.

For the user, this means:

  • data is not stored only on the local disk of a single compute instance;
  • protection at rest is provided by the platform layer and the storage services it uses;
  • if you have specific requirements regarding residency or encryption attributes, it is best to confirm them in advance with the platform team or as part of the contract.

What is important to remember

  • sslmode=require in the DSN is the minimum safe baseline;
  • API keys and tenant credentials must be stored separately;
  • compliance requirements are better checked before production launch, not after migration.
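
An added example, not part of the SPG99 documentation: a check for the sslmode baseline above that reads a DSN in URI or keyword/value form and reports the effective sslmode, following libpq's precedence (DSN parameter, then PGSSLMODE, then the default prefer). The host, user and database names are constructed placeholders, and dsn_params and audit_sslmode are hypothetical helper names.

```python
import re
from urllib.parse import parse_qs, urlsplit

# libpq sslmode values, weakest to strongest.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
BASELINE = "require"      # minimum named on this page
LIBPQ_DEFAULT = "prefer"  # libpq's default when nothing sets sslmode
# Keyword/value pairs: key = value, value optionally single-quoted.
_KV = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|[^\s']*)")


def dsn_params(dsn):
    """Extract parameters from a URI-style or keyword/value DSN."""
    dsn = dsn.strip()
    if dsn.startswith(("postgres://", "postgresql://")):
        query = parse_qs(urlsplit(dsn).query, keep_blank_values=True)
        return {k: v[-1] for k, v in query.items()}  # assumed: last one wins
    params = {}
    for key, value in _KV.findall(dsn):
        if value.startswith("'"):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unquote, unescape
        params[key] = value
    return params


def audit_sslmode(dsn, env=None):
    """Return (effective sslmode, verdict); env is an optional dict of env vars."""
    mode = dsn_params(dsn).get("sslmode") or (env or {}).get("PGSSLMODE") or LIBPQ_DEFAULT
    if mode not in SSLMODES:
        return mode, "invalid"
    rank, floor = SSLMODES.index(mode), SSLMODES.index(BASELINE)
    if rank < floor:
        return mode, "below-baseline"  # may connect without TLS
    if rank == floor:
        return mode, "baseline"        # encrypted; server identity not necessarily verified
    return mode, "above-baseline"      # verify-ca / verify-full check the server certificate


# Constructed sample DSNs; host, user and database names are placeholders.
SAMPLES = [
    "postgresql://app@gateway.example.invalid:5432/appdb?sslmode=require",
    "postgresql://app@gateway.example.invalid:5432/appdb",
    "host=gateway.example.invalid dbname=appdb user=app sslmode = 'verify-full'",
    "host=gateway.example.invalid dbname=appdb user=app sslmode=disable",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_sslmode(sample), sample)
```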